The Dutch Data Protection Authority has announced that a €725,000 (US$791,000) General Data Protection Regulation (GDPR) fine will be applied to a firm that was discovered to be scanning its employees’ biometrics using a fingerprint time and attendance system.

The decision was reached by the authority due to the fact that the company, which was not identified in the findings that were published, could not provide a sound reasoning for implementing this fingerprint-scanning system.

The decision that was released to the public the Dutch Data Protection Authority said that, in most instances, using biometric data to record employee activity is forbidden under GDPR. Exceptions to this would be if explicit consent has been given or if there are extra security reasons necessary and normal measures are sufficient for achieving this aim.

The Dutch Data Protection said, in relation to the tracking of biometric data to review employee activity, that “this category of personal data is extra protected by law. If these data get into the wrong hands, this could potentially lead to irreparable damage. Such as blackmail or identity fraud,” comments AP Vice President Monique Verdier, per Google translation. “A fingerprint cannot be replaced, such as a password. If things go wrong, the impact can be huge and have a lifelong negative effect on someone. The relationship between employers and employees also generally prevents legal consent, which “must be unambiguous, specific, informed and free.”

This is not the first time that a group has been sanctioned in relation to activity like this. The Swedish Data Protection Authority (DPA) sanctioned the state authority in the Skelleftea region 200,000 Swedish Krona ($20,700) for trialing facial recognition on high-school students in Sweden to keep track of attendance without seeking the adequate permissions to do so during 2019. In March 2020 a school in Poland was penalized for using tracking software to record attendance.

In the first half of 2019, the CNIL (French Data protection authority) established a list of rules for biometric data tracking in relation to GDPR. It can be ascertained that EU data protection authorities require an explicit reason for tracking and see that outright permission has be given, in order to allow biometric tracking.